@clerk/nuxt (>=2.0.1-canary.v20260303211310 <=2.2.5-snapshot.v20260421194054) potentially affected by CVE-2026-42349 via @clerk/vue (>=2.0.1-canary.v20260303211310 <=2.0.16-snapshot.v20260421194054)

@clerk/vue NPM version =2.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =2.2.5-snapshot.v20260421194054 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...

@clerk/agent-toolkit (>=0.3.1-canary.v20260303211310 <=0.3.16-snapshot.v20260416221307), @clerk/astro (>=3.0.1-canary.v20260303211310 <=3.0.18-snapshot.v20260421194054) +9 more potentially affected by CVE-2026-42349 via @clerk/backend (>=3.0.0 <=3.2.14-snapshot.v20260421194054)

@clerk/backend NPM version =3.0.0, =0.3.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =0.0.3-canary.v20260303211310, =7.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310,...

EUVD-2026-25632

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in...

CVE-2026-41248

The CVE-2026-41248 affects Clerk JavaScript repositories: createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by crafted requests, bypassing middleware gating and reaching downstream handlers. Affected fixes are: @clerk/astro 1.5.7, 2.17.10, 3.0.15; @clerk/nextjs 5....

Incorrect Authorization

Overview @clerk/nuxt is a Clerk SDK for Nuxt Affected versions of this package are vulnerable to Incorrect Authorization via the createPathMatcher function in @clerk/shared used by downstream createRouteMatcher. An attacker can gain unauthorized access to protected routes by crafting requests tha...

@clerk/agent-toolkit (>=0.3.1-canary.v20260303211310 <=0.3.16-snapshot.v20260416221307), @clerk/astro (>=3.0.1-canary.v20260303211310 <=3.0.19-canary.v20260422163039) +9 more potentially affected by CVE-2026-34076 via @clerk/backend (>=3.0.0 <=3.2.3-snapshot.v20260327200941)

@clerk/backend NPM version =3.0.0, =0.3.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =0.0.3-canary.v20260303211310, =7.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310,...

@async-atharv/ipaship (>=1.2.1 <=1.2.2), @bentwnghk/chat (>=1.85.2 <=1.107.2) +96 more potentially affected by CVE-2025-53548 via @clerk/backend (>=2.0.0 <=2.33.5)

@clerk/backend NPM version =2.0.0, =1.2.1, =1.85.2, =0.0.1, =3.0.3, =0.1.0, =2.8.0-snapshot.v20250514155045, =1.5.0-snapshot.v20250514155045, =2.3.0, =6.20.0-snapshot.v20250514155045, =1.7.0, =1.5.0, =4.8.0, =0.16.0, =1.7.0-snapshot.v20250514155045, =1.0.4, =1.0.7 and more Source cves:...